CVE Reports

Posted on • Originally published at cvereports.com

GHSA-QRV3-253H-G69C: Path Traversal and Arbitrary Symlink Creation via configDependencies in pnpm

Vulnerability ID: GHSA-QRV3-253H-G69C
CVSS Score: 8.3
Published: 2026-06-27

A high-severity path traversal vulnerability exists in the pnpm package manager. By crafting a malicious lockfile (pnpm-lock.yaml) whose configDependencies block contains path traversal sequences, an attacker can cause pnpm to create arbitrary directories and symlinks outside the project's node_modules/.pnpm-config directory. The traversal is triggered automatically during installation, even when lifecycle scripts are disabled with the --ignore-scripts flag.

TL;DR

A path traversal vulnerability in pnpm's configDependencies handling allows malicious lockfiles to create arbitrary directories and symbolic links outside of node_modules, bypassing the execution boundaries of --ignore-scripts during package installation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 8.3
  • EPSS Score: N/A
  • Impact: Integrity (High)
  • Exploit Status: Proof of Concept (PoC) Available
  • KEV Status: Not Listed

Affected Systems

  • pnpm package manager for Node.js
  • pnpm: >= 0 < 10.34.4 (Fixed in: 10.34.4)
  • pnpm: >= 11.0.0 < 11.8.0 (Fixed in: 11.8.0)

Code Analysis

Commit: 352ae48

Ensure valid config dependency names and versions to prevent path traversal in config installer

diff --git a/config/deps-installer/src/assertValidConfigDepName.ts b/config/deps-installer/src/assertValidConfigDepName.ts

Exploit Details

  • GitHub Security Advisory: exploit methodology and execution summary showing the traversal behaviour of configuration-installer keys.

Mitigation Strategies

  • Upgrade pnpm to version 10.34.4+ or 11.8.0+ depending on the release line in use.
  • Run automated lockfile parsing and linting in CI/CD pipelines so that a pull request fails if traversal sequences are found within pnpm-lock.yaml.
  • Run package installations inside isolated containerized environments to restrict the impact of path escapes on the host filesystem.
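A defender-side check of the kind the CI linting bullet above calls for, added here as an example; it is not part of the advisory or of pnpm's own code base. It scans the configDependencies block of a lockfile for names or versions that would let the installer write outside node_modules/.pnpm-config. The flat "name: version" layout of the block, the package-name pattern and the sample lockfile are assumptions constructed for this example.

```typescript
// Added example, not pnpm's own code. Lockfile layout is assumed: a top-level
// "configDependencies:" mapping of package name -> version, one entry per line.
export interface Finding { line: number; key: string; reason: string; }

// Assumed shape of a well-formed (optionally scoped) npm package name.
const VALID_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
// A ".." path segment, with either separator, at any position.
const TRAVERSAL = /(^|[\\/])\.\.($|[\\/])/;
const stripQuotes = (s: string): string => s.replace(/^(['"])(.*)\1$/, '$2');

export function auditConfigDependencies(lockfile: string): Finding[] {
  const findings: Finding[] = [];
  let inBlock = false;
  lockfile.split(/\r?\n/).forEach((raw, idx) => {
    const line = idx + 1;
    if (/^configDependencies:\s*$/.test(raw)) { inBlock = true; return; }
    if (raw.trim() === '' || raw.trim().startsWith('#')) return; // blank or comment
    if (inBlock && !/^\s/.test(raw)) inBlock = false;            // dedent closes the block
    if (!inBlock) return;
    const m = raw.match(/^\s+(.+?):\s*(.*)$/);
    if (!m) { findings.push({ line, key: raw.trim(), reason: 'unparseable entry' }); return; }
    const key = stripQuotes(m[1]);
    const version = stripQuotes(m[2]);
    // The name becomes a directory under .pnpm-config: reject anything that
    // could step out of it or is not a plain package name.
    if (TRAVERSAL.test(key) || /^[\\/]/.test(key)) {
      findings.push({ line, key, reason: 'path traversal in dependency name' });
    } else if (!VALID_NAME.test(key)) {
      findings.push({ line, key, reason: 'not a valid package name' });
    }
    // The version is also used to build a path: separators have no business there.
    if (/[\\/]/.test(version) || TRAVERSAL.test(version)) {
      findings.push({ line, key, reason: 'path separator or traversal in version' });
    }
  });
  return findings;
}

// Constructed sample lockfile: one clean entry followed by two hostile ones.
export const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

configDependencies:
  '@myorg/pnpm-config': 1.2.0+sha512-CONSTRUCTED
  '../../../tmp/escape': 1.0.0
  good-config: ../../../etc/cron.d

packages: {}
`;
```

Running auditConfigDependencies(SAMPLE_LOCKFILE) in a CI step and failing the job on a non-empty result gives the lockfile gate described above.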

Remediation Steps:

  1. Verify the current version of the pnpm client by running 'pnpm -v'.
  2. Upgrade the package manager globally using 'npm install -g pnpm@latest' or 'npm install -g pnpm@11.8.0'.
  3. Add an engines constraint to project package.json files so that only patched pnpm versions are accepted.

Read the full report for GHSA-QRV3-253H-G69C on our website for more details including interactive diagrams and full exploit analysis.